Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Quick Mode->EventID 4654 - An IPsec quick mode negotiation failed.
EventID 4654 - An IPsec quick mode negotiation failed.

Find more information about this event on ultimatewindowssecurity.com.
 Sample: 
===========================
Description template stored in adtschema.dll:
===========================
An IPsec quick mode negotiation failed.

Local Endpoint:
	Network Address:	%1
	Network Address mask:	%2
	Port:			%3
	Tunnel Endpoint:		%4

Remote Endpoint:
	Network Address:	%5
	Address Mask:		%6
	Port:			%7
	Tunnel Endpoint:		%8
	Private Address:		%10

Additional Information:
	Protocol:		%9
	Keying Module Name:	%11
	Virtual Interface Tunnel ID:	%20
	Traffic Selector ID:	%21
	Mode:			%14
	Role:			%16
	Quick Mode Filter ID:	%18
	Main Mode SA ID:	%19

Failure Information:
	State:			%15
	Message ID:		%17
	Failure Point:		%12
	Failure Reason:		%13
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Logon/Logoff
Source Microsoft-Windows-Security-Auditing
TaskCategory IPsec Quick Mode
EventId 4654
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name -
Whom -
Object Type -
Class Name -
Security ID -
Account Name -
Account Domain -
Local Endpoint: Network Address InsertionString1 %1
Local Endpoint: Network Address mask InsertionString2 %2
Local Endpoint: Port InsertionString3 %3
Local Endpoint: Tunnel Endpoint InsertionString4 %4
Remote Endpoint: Network Address InsertionString5 %5
Remote Endpoint: Address Mask InsertionString6 %6
Remote Endpoint: Port InsertionString7 %7
Remote Endpoint: Tunnel Endpoint InsertionString8 %8
Remote Endpoint: Private Address InsertionString10 %10
Additional Information: Protocol InsertionString9 %9
Additional Information: Keying Module Name InsertionString11 %11
Additional Information: Mode InsertionString14 %14
Additional Information: Role InsertionString16 %16
Additional Information: Quick Mode Filter ID InsertionString18 %18
Additional Information: Main Mode SA ID InsertionString19 %19
Failure Information: State InsertionString15 %15
Failure Information: Message ID InsertionString17 %17
Failure Information: Failure Point InsertionString12 %12
Failure Information: Failure Reason InsertionString13 %13
Additional Information: Virtual Interface Tunnel ID InsertionString20 %20
Additional Information: Traffic Selector ID InsertionString21 %21
Comments
You must be logged in to comment